VulnerableCode Vulnerability Details

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-rsxs-u5cc-rkgj

Essentials
Severities (16)
References (17)
Severity details (13)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-rsxs-u5cc-rkgj
Aliases	CVE-2026-32990 GHSA-8mc5-53m5-3qj2
Summary
Status	Published
Exploitability	0.5
Weighted Severity	6.6
Risk	3.3
Affected and Fixed Packages	Package Details

Weaknesses (2)

CWE-20	Improper Input Validation
CWE-184	Incomplete List of Disallowed Inputs

System	Score	Found at
cvssv3	7.3	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-32990.json
epss	0.00041	https://api.first.org/data/v1/epss?cve=CVE-2026-32990
epss	0.00041	https://api.first.org/data/v1/epss?cve=CVE-2026-32990
epss	0.00041	https://api.first.org/data/v1/epss?cve=CVE-2026-32990
apache_tomcat	Moderate	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-32990
cvssv3.1_qr	MODERATE	https://github.com/advisories/GHSA-8mc5-53m5-3qj2
cvssv3.1	5.3	https://github.com/apache/tomcat
cvssv4	6.9	https://github.com/apache/tomcat
generic_textual	MODERATE	https://github.com/apache/tomcat
cvssv3.1	5.3	https://lists.apache.org/thread/1nl9zqft0ksqlhlkd3j4obyjz1ghoyn7
cvssv4	6.9	https://lists.apache.org/thread/1nl9zqft0ksqlhlkd3j4obyjz1ghoyn7
generic_textual	MODERATE	https://lists.apache.org/thread/1nl9zqft0ksqlhlkd3j4obyjz1ghoyn7
ssvc	Track	https://lists.apache.org/thread/1nl9zqft0ksqlhlkd3j4obyjz1ghoyn7
cvssv3.1	5.3	https://nvd.nist.gov/vuln/detail/CVE-2026-32990
cvssv4	6.9	https://nvd.nist.gov/vuln/detail/CVE-2026-32990
generic_textual	MODERATE	https://nvd.nist.gov/vuln/detail/CVE-2026-32990

Reference id	Reference type	URL
		https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-32990.json
		https://api.first.org/data/v1/epss?cve=CVE-2026-32990
		https://github.com/apache/tomcat
		https://github.com/apache/tomcat/commit/021d1f833e38b683a44688f7b28f1f27e8e37c36
		https://github.com/apache/tomcat/commit/4d0615a5c718c260d6d4e0b944a050f09a490c02
		https://github.com/apache/tomcat/commit/95f7778248cac46d03e6af04de9c72a598be3a53
		https://lists.apache.org/thread/1nl9zqft0ksqlhlkd3j4obyjz1ghoyn7
		https://nvd.nist.gov/vuln/detail/CVE-2026-32990
		https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.53
		https://tomcat.apache.org/security-11.html#Fixed_in_Apache_Tomcat_11.0.20
		https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.116
1133356		https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1133356
1133357		https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1133357
2457025		https://bugzilla.redhat.com/show_bug.cgi?id=2457025
CVE-2026-32990		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-32990
CVE-2026-32990		https://www.herodevs.com/vulnerability-directory/cve-2026-32990
GHSA-8mc5-53m5-3qj2		https://github.com/advisories/GHSA-8mc5-53m5-3qj2

No exploits are available.

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-32990.json

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Found at https://github.com/apache/tomcat

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N Found at https://github.com/apache/tomcat

Attack Vector (AV)	Attack Complexity (AC)	Attack Requirements (AT)	Privileges Required (PR)	User Interaction (UI)	Vulnerable System Impact Confidentiality (VC)	Vulnerable System Impact Integrity (VI)	Vulnerable System Impact Availability (VA)	Subsequent System Impact Confidentiality (SC)	Subsequent System Impact Integrity (SI)	Subsequent System Impact Availability (SA)
network adjacent local physical	low high	none present	none low high	none passive active	high low none	high low none	high low none	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Attack Requirements (AT)

Privileges Required (PR)

User Interaction (UI)

Vulnerable System Impact Confidentiality (VC)

Vulnerable System Impact Integrity (VI)

Vulnerable System Impact Availability (VA)

Subsequent System Impact Confidentiality (SC)

Subsequent System Impact Integrity (SI)

Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Found at https://lists.apache.org/thread/1nl9zqft0ksqlhlkd3j4obyjz1ghoyn7

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N Found at https://lists.apache.org/thread/1nl9zqft0ksqlhlkd3j4obyjz1ghoyn7

Attack Vector (AV)	Attack Complexity (AC)	Attack Requirements (AT)	Privileges Required (PR)	User Interaction (UI)	Vulnerable System Impact Confidentiality (VC)	Vulnerable System Impact Integrity (VI)	Vulnerable System Impact Availability (VA)	Subsequent System Impact Confidentiality (SC)	Subsequent System Impact Integrity (SI)	Subsequent System Impact Availability (SA)
network adjacent local physical	low high	none present	none low high	none passive active	high low none	high low none	high low none	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Attack Requirements (AT)

Privileges Required (PR)

User Interaction (UI)

Vulnerable System Impact Confidentiality (VC)

Vulnerable System Impact Integrity (VI)

Vulnerable System Impact Availability (VA)

Subsequent System Impact Confidentiality (SC)

Subsequent System Impact Integrity (SI)

Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-10T18:38:40Z/ Found at https://lists.apache.org/thread/1nl9zqft0ksqlhlkd3j4obyjz1ghoyn7

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2026-32990

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N Found at https://nvd.nist.gov/vuln/detail/CVE-2026-32990

Attack Vector (AV)	Attack Complexity (AC)	Attack Requirements (AT)	Privileges Required (PR)	User Interaction (UI)	Vulnerable System Impact Confidentiality (VC)	Vulnerable System Impact Integrity (VI)	Vulnerable System Impact Availability (VA)	Subsequent System Impact Confidentiality (SC)	Subsequent System Impact Integrity (SI)	Subsequent System Impact Availability (SA)
network adjacent local physical	low high	none present	none low high	none passive active	high low none	high low none	high low none	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Attack Requirements (AT)

Privileges Required (PR)

User Interaction (UI)

Vulnerable System Impact Confidentiality (VC)

Vulnerable System Impact Integrity (VI)

Vulnerable System Impact Availability (VA)

Subsequent System Impact Confidentiality (SC)

Subsequent System Impact Integrity (SI)

Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

Exploit Prediction Scoring System (EPSS)

Percentile	0.12443
EPSS Score	0.00041
Published At	April 11, 2026, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2026-04-10T00:03:26.032697+00:00	Apache Tomcat Importer	Import	https://tomcat.apache.org/security-11.html	38.1.0